The worm, dubbed Shai-Hulud, has all the hallmarks of malware released last month as freely available open source. TeamPCP was the first group to use Shai-Hulud, and it promoted a competition that promised a $1,000 payment to the hacker who carried out the biggest supply-chain attack using the malware. TeamPCP has also been behind a… Read More: Dozens of Red Hat packages backdoored through its official NPM… »
Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, laid out Wednesday by security firm Koi, brings attention to an NPM practice that allows installed packages to automatically pull down and run unvetted packages from… Read More: NPM flooded with malicious packages downloaded more than 86,000 times »
Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever. The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time,… Read More: Software packages with more than 2 billion weekly downloads hit… »
Some of the payloads were limited to detonate only on specific dates in 2023, but in some cases a phase that was scheduled to begin in July of that year was given no termination date. Pandya said that means the threat remains persistent, although in an email he also wrote: “Since all activation dates have… Read More: Destructive malware available in NPM repo went unnoticed for 2… »
Screenshot showing a graph tracking mining activity. Credit: Checkmarx But wait, there’s more On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. These packages help malicious and benevolent… Read More: Yearlong supply-chain attack targeting security pros steals 390K credentials »
Enlarge / Supply-chain attacks, like the latest PyPi discovery, insert malicious code into seemingly functional software packages used by developers. They’re becoming increasingly common. (credit: Getty Images) Researchers have discovered yet another set of malicious packages in PyPi, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar… Read More: 10 malicious Python packages exposed in latest repository attack »
Getty Images reader comments 95 with 73 posters participating, including story author Share this story A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of… Read More: Sabotage: Code added to popular NPM package wiped files in… »
Getty Images reader comments 50 with 36 posters participating Share this story Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw. The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript… Read More: NPM package with 3 million weekly downloads had a severe… »
Getty Images reader comments 70 with 58 posters participating Share this story Counterfeit packages downloaded roughly 5,000 times from the official Python repository contained secret code that installed cryptomining software on infected machines, a security researcher has found. The malicious packages, which were available on the PyPI repository, in many cases used names that mimicked… Read More: Ahoy, there’s malice in your repos—PyPI is the latest to… »